jefferyxhy opened a new pull request, #914:
URL: https://github.com/apache/struts/pull/914
WW-5409
**Reason**
Extending packages is a very useful capability of Struts, but there are some
quirks that, if a developer is not aware of them, can lead to critical
vulnerabilities. One such misunderstood quirk is the `default-interceptor-ref`
element.
e.g. a parent package adds a permission interceptor for its action (say
**Action A**), while a child package that extends the parent package will
inherit its actions but not the interceptor. So if the developer is not aware
of this, Action A is now exposed with a permission vuln through the child
package's namespace.
**Changes/ Solution**
Introduce a new `final` attribute on the `package` element which will make it
unextendable.
**Result & Impact**
* By default, the package `final` attribute is implied as `false`, so there is
no difference.
* Setting the package `final` attribute explicitly to `true` will make this
package unextendable, so any package extending it will cause a
ConfigurationException to be thrown during the application's struts config XML
load step.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
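A `struts.xml` illustrating the quirk the PR describes and the `final` attribute it proposes, as an added example that is not part of the PR or of the Struts project itself. The `com.example.*` classes, the `permission` interceptor, and the `/admin` and `/public` namespaces are placeholders chosen for this example; the `DOCTYPE` declaration is omitted because the DTD that carries the new attribute depends on the Struts release the PR lands in.

```xml
<struts>
  <!-- Parent package: every action in it is meant to run behind the
       permission check, supplied through the package's default-interceptor-ref.
       com.example.* classes are placeholders for this example. -->
  <package name="secured" extends="struts-default" namespace="/admin">
    <interceptors>
      <interceptor name="permission" class="com.example.PermissionInterceptor"/>
      <interceptor-stack name="securedStack">
        <interceptor-ref name="permission"/>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="securedStack"/>

    <!-- "Action A": reachable as /admin/actionA, protected by securedStack -->
    <action name="actionA" class="com.example.ActionA">
      <result>/WEB-INF/jsp/actionA.jsp</result>
    </action>
  </package>

  <!-- The quirk described in the PR: this child package inherits actionA
       but not the parent's default-interceptor-ref, so /public/actionA is
       served without the permission check. Nothing in this file makes the
       problem visible at load time. -->
  <package name="leaky" extends="secured" namespace="/public">
    <action name="actionB" class="com.example.ActionB">
      <result>/WEB-INF/jsp/actionB.jsp</result>
    </action>
  </package>

  <!-- Hardened form using the attribute this PR introduces: declare the
       parent package final so that it cannot be extended at all.

         <package name="secured" extends="struts-default"
                  namespace="/admin" final="true">

       With that declaration in place of the one above, the
       <package name="leaky" extends="secured" ...> element is rejected with a
       ConfigurationException while struts.xml is loaded, so the unprotected
       /public/actionA mapping never comes into existence. A package without
       final, or with final="false", behaves exactly as before the PR. -->
</struts>
```

The point of the `final` attribute is that the failure moves from runtime (a silently exposed action in another namespace) to configuration load, where it is impossible to miss; it does not change what inherited actions receive, so packages that legitimately need to be extended still have to be reviewed for which interceptors their inherited actions end up with.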